Secure Mail Client | Academy / 301.1

Understanding Air-Gapped Security

An air-gapped system is a computer or network that is physically isolated from unsecured networks, including the internet and any other networks that might be connected to the outside world. This complete physical separation is the ultimate defense against remote attacks, making air-gapped systems ideal for the most sensitive security operations.

Why Use an Air-Gapped System for Cryptographic Keys?

When it comes to cryptographic key management, the most critical vulnerability is exposure of your private keys. An air-gapped system provides several crucial security advantages:

  • No remote access possible: Eliminates the risk of network-based attacks
  • Protection from malware: No connectivity means malware can't communicate with command servers
  • Physical control: Requires physical access to compromise the system
  • Minimized attack surface: Reduces potential vulnerabilities dramatically
  • Persistent security: Remains protected against remote zero-day exploits, because there is no network path over which to deliver them

Security Alert

The Master Key Protection Principle

Your master signing key should ideally never touch an internet-connected computer. By generating and maintaining it exclusively on an air-gapped system, you can create subkeys for daily use while keeping your master identity completely isolated from online threats.

Creating an Air-Gapped System

Setting up a proper air-gapped system requires careful planning and strict adherence to isolation principles.

Essential Hardware Components

  • Dedicated computer: Ideally a new laptop with minimal components (no Wi-Fi, Bluetooth, or cellular hardware)
  • Removable storage media: USB drives, SD cards, or optical discs for transferring data
  • Hardware security: Consider physical security features like lockable cases, tamper-evident seals, etc.
  • External peripherals: If needed, dedicated keyboard, mouse, printer (never shared with online systems)

Selecting an Operating System

The ideal operating system for an air-gapped machine emphasizes security, minimalism, and verifiability:

  • TAILS: Amnesic live system designed for privacy and leaving no traces
  • Qubes OS: Security-focused OS with strong compartmentalization
  • Debian: Stable Linux distribution with minimal default installation
  • OpenBSD: Security-focused operating system with exceptional code quality

Whichever OS you choose, follow these principles:

  • Verify the ISO/installation media cryptographically before installation
  • Perform a clean, minimal installation with only necessary components
  • Configure full-disk encryption with a strong passphrase
  • Remove or disable all unnecessary services and daemons
  • Configure strict firewall rules (even though it's air-gapped, defense in depth is important)

Air-Gap Setup Procedure

  1. Physical isolation: Choose a secure location for your air-gapped system
  2. Hardware preparation:
    • If possible, physically remove wireless components (Wi-Fi cards, Bluetooth modules, cellular modems)
    • Disable wireless capabilities in BIOS/firmware if removal isn't possible
    • Disable unnecessary ports and peripherals
    • Consider covering microphones, cameras, and unused ports with tamper-evident tape
  3. Clean OS installation:
    • Download the OS on a separate computer and verify checksums
    • Create installation media
    • Install on the air-gapped machine
    • Never connect the machine to any network during or after installation
  4. Software installation:
    • Install only necessary cryptographic tools (GnuPG, etc.)
    • Transfer software packages via verified media
    • Verify all package signatures before installation

Warning

True Air-Gap Discipline

An air-gapped system is only as secure as your operational discipline. Once a device has been connected to the internet, it should never be considered truly air-gapped again. Maintain strict separation between your air-gapped environment and connected systems.

Cryptographic Operations on an Air-Gapped System

With your air-gapped system ready, you can perform the most sensitive cryptographic operations with maximum security.

Key Generation

Generating keys on an air-gapped system ensures they are never exposed to network threats:

    # Generate a high-security master key
    gpg --expert --full-generate-key

When generating your master key, consider these settings for maximum security:

  • Key type: RSA and RSA (traditional) or ECC (Elliptic Curve Cryptography) if you need modern algorithms
  • Key size: 4096 bits for RSA, appropriate curves for ECC
  • Validity period: 2-3 years (you can always extend it later)
  • Strong, unique passphrase that you can reliably remember

Creating Subkeys for Daily Use

After generating your master key, create specialized subkeys for different purposes:

    # Edit the key to add subkeys
    gpg --expert --edit-key [email protected]

    # In the GPG prompt
    addkey  # Add an encryption subkey
    addkey  # Add a signing subkey
    addkey  # Add an authentication subkey
    save

These subkeys will be the ones you transfer to your everyday systems, while keeping the master key safely air-gapped.

Backup Procedures

Secure backups are essential for air-gapped keys:

  1. Full key backup:

       # Export your entire key with private key material (keep this extremely secure)
       gpg --export-secret-keys --armor [email protected] > master-key-backup.asc

       # Optionally encrypt the backup file itself
       gpg --symmetric --cipher-algo AES256 master-key-backup.asc

  2. Paper backup:

       # Using paperkey to create a printable version of your private key
       gpg --export-secret-keys [email protected] | paperkey --output master-key-paper-backup.txt

  3. Revocation certificate:

       # Generate a revocation certificate
       gpg --gen-revoke --output=revocation-cert.asc [email protected]

Store these backups securely in multiple physical locations. Consider using techniques like:

  • Splitting secrets across multiple physical locations
  • Encrypted USB drives with hidden volumes
  • Physical safes or secure storage facilities
  • Laminated paper backups for moisture protection

Bridging the Air Gap

While your master key never leaves the air-gapped system, you still need to transfer certain data between your isolated and connected environments.

One-Way Data Transfer Methods

These techniques help maintain security while bridging the air gap:

  • Removable media: USB drives or SD cards dedicated to air-gap transfers
    • Maintain separate devices for inbound and outbound transfers
    • Consider write-once media (like CD-Rs) for some transfers
    • Format media between uses
  • QR codes: Visual data transfer for smaller amounts of data
    • Generate QR codes on air-gapped machine and scan with connected device
    • Use multiple QR codes for larger files with tools like qrencode
    • Provides natural data size limitations that reduce exfiltration risks
  • Optical methods: Camera-based transfers
    • Display data as series of barcodes or visual patterns
    • Can transfer moderate amounts of data without physical media
  • Specialized transfer devices: Hardware designed specifically for secure transfers
    • Data diodes (hardware that only allows data flow in one direction)
    • Dedicated transfer kiosks with security controls

Transferring Subkeys to Daily Use Systems

The most common transfer operation is exporting subkeys for use on your connected computers:

  1. On the air-gapped system, export only your subkeys:

       # Export only the subkeys without the master private key
       gpg --export-secret-subkeys --armor [email protected] > subkeys.asc

       # Also export the public key for importing on the connected system
       gpg --export --armor [email protected] > public.asc

  2. Transfer files via your chosen secure method
  3. On the connected system, import the keys:

       # Import your public key
       gpg --import public.asc

       # Import your subkeys
       gpg --import subkeys.asc
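A check worth running on the connected system after step 3, as an added example that is not part of this academy page: GnuPG 2.1+ marks a master key whose secret material is absent with "sec#" in plain "gpg -K", and with "#" in field 15 of the "--with-colons" listing. The script below parses such a listing; the key ids, timestamps and sample listings are constructed placeholders, and the check_keyring wrapper assumes gpg is installed.

```shell
#!/bin/sh
# Added example, not code from the Secure Mail Client academy page.
# After importing subkeys.asc, confirm the connected system holds no master
# secret. In "gpg --with-colons --list-secret-keys" output (GnuPG 2.1+),
# field 15 of a sec/ssb record is "#" for an offline stub (shown as "sec#"
# by plain "gpg -K") and "+" when the secret material is really present.

# Read a colon-format listing on stdin. Exit 0 only when every master key
# (sec record) is a stub and at least one subkey (ssb record) is usable.
check_master_is_stub() {
    awk -F: '
        $1 == "sec" { masters++; if ($15 != "#") present++ }
        $1 == "ssb" { if ($15 == "+") usable++ }
        END {
            if (masters == 0) { print "no secret keys in listing"; exit 2 }
            if (present > 0)  { print "master secret key is present on this system"; exit 1 }
            if (usable == 0)  { print "no usable subkeys imported"; exit 3 }
            print masters " master stub(s), " usable " usable subkey(s)"
        }'
}

# Live check of the connected system's keyring for one key (id or e-mail);
# assumes gpg is installed.
check_keyring() {
    gpg --batch --with-colons --list-secret-keys "$1" | check_master_is_stub
}

# Constructed sample of a correct import: master is a stub, two usable subkeys.
# Key ids, fingerprint and timestamps are placeholders, not real keys.
SAMPLE_GOOD='sec:u:4096:1:0123456789ABCDEF:1700000000:1763000000::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
ssb:u:4096:1:FEDCBA9876543210:1700000000:1763000000:::::s:::+:::23:
ssb:u:4096:1:1122334455667788:1700000000:1763000000:::::e:::+:::23:'

# Constructed sample of the mistake to catch: the full secret key was
# exported (--export-secret-keys) instead of only the subkeys.
SAMPLE_BAD='sec:u:4096:1:0123456789ABCDEF:1700000000:1763000000::u:::cESCA:::+:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000:1763000000:::::s:::+:::23:'
```

Run "check_keyring [email protected]" on the connected machine after the import; any exit status other than 0 means the import did not leave the master key offline as intended.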

Security Alert

Media Hygiene

Any media that connects to an internet-connected computer should be considered potentially compromised. Ideally, use one-way flow: dedicated "outbound" media that only ever goes from air-gapped to online systems, and separate "inbound" media for the reverse direction.

Signing Operations

For maximum security when signing critical material (like code releases, important documents, or key certifications):

  1. Prepare the material on your connected system
  2. Generate a secure hash of the material:

       sha256sum important-document.pdf > document-hash.txt

  3. Transfer the hash to your air-gapped system
  4. Sign the hash on the air-gapped system:

       gpg --detach-sign --armor document-hash.txt

  5. Transfer the signature back to your connected system
  6. Verify the signature matches the original material:

       sha256sum --check document-hash.txt
       gpg --verify document-hash.txt.asc document-hash.txt
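An added wrapper for the six steps above (example code, not from the academy page): the hash file is the only thing that crosses the air gap on removable media, so the air-gapped side checks that it is a well-formed sha256sum manifest before the master key signs it, and the connected side verifies the signature and then the hash. The function names, the accepted filename characters and the test data are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the Secure Mail Client academy page.
# The only artefact that crosses the air gap in the signing workflow is the
# sha256sum manifest, carried on removable media. The offline master key
# should sign exactly that manifest and nothing else that may have landed on
# the media, so the air-gapped side validates the file before signing it.

# Return 0 only if "$1" is a well-formed sha256sum manifest: every line is
# "<64 hex digits>  <plain filename>" and there is at least one line.
# The filename policy (no spaces, no directory separators) is this
# example's own choice; sha256sum itself accepts more.
validate_manifest() {
    manifest=$1
    lines=$(grep -c '' "$manifest") || true
    bad=$(LC_ALL=C grep -Evc '^[0-9a-f]{64}  [A-Za-z0-9._-]+$' "$manifest") || true
    [ "${lines:-0}" -gt 0 ] && [ "${bad:-0}" -eq 0 ]
}

# Air-gapped side: refuse to sign anything that is not a clean manifest.
# Produces "$1.asc", exactly as "gpg --detach-sign --armor" does in step 4.
sign_manifest() {
    if ! validate_manifest "$1"; then
        echo "refusing to sign: $1 is not a well-formed sha256sum manifest" >&2
        return 1
    fi
    gpg --detach-sign --armor "$1"
}

# Connected side: the signature proves the manifest is the one signed offline,
# then sha256sum proves the document still matches that manifest.
# --strict makes a malformed manifest line a failure instead of a warning.
verify_signed_manifest() {
    gpg --verify "$1.asc" "$1" && sha256sum --check --strict "$1"
}
```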

Key Rotation and Management with Air-Gapped Systems

Air-gapped key management adds complexity to routine operations like key renewal or rotation.

Updating Subkey Expiration

When your subkeys approach expiration, update them on your air-gapped system:

  1. Work on the air-gapped system, where the master key is available
  2. Edit the key to update expiration dates:

       gpg --edit-key [email protected]

       # In the GPG prompt
       key 1      # Select first subkey
       expire     # Update expiration
       key 1      # Deselect (entering the same number again toggles the selection)
       key 2      # Select next subkey
       expire     # Update expiration
       # Repeat for all subkeys
       save
  3. Export the updated public key and distribute it to key servers and contacts
  4. Export the updated subkeys for your daily use systems

Creating New Subkeys

Periodically rotating subkeys provides additional security:

  1. Identify expiring or outdated subkeys
  2. Create new subkeys on the air-gapped system
  3. Optionally revoke old subkeys after transition period
  4. Update all systems and devices with new subkeys

Emergency Revocation

If subkeys are compromised, revoke them using your air-gapped master key:

  1. On the air-gapped system:

       gpg --edit-key [email protected]

       # In the GPG prompt
       key 1      # Select the compromised subkey (here the first one; use its number from the listing)
       revkey     # Revoke this subkey
       save
  2. Export the updated public key with revocation information
  3. Publish the updated key to key servers
  4. Create new subkeys to replace the revoked ones

Advanced Air-Gap Techniques

For those requiring the highest levels of security, consider these additional measures:

RAM-Only Operations

For extremely sensitive operations, consider a RAM-only approach:

  • Boot the air-gapped system from read-only media (like a live CD)
  • Load keys into RAM only when needed
  • Perform operations without writing sensitive material to persistent storage
  • Power off completely (not sleep/hibernate) when finished

Physical Security Measures

Enhance the security of your air-gapped system with physical controls:

  • Faraday cage enclosures to prevent electromagnetic emissions
  • Tamper-evident seals on computer case and ports
  • Physical locks on storage locations
  • Surveillance and access controls for the physical space
  • Secure decommissioning procedures when hardware is retired

Side-Channel Attack Prevention

Sophisticated attackers might attempt to bridge air gaps using side channels:

  • Acoustic isolation to prevent sound-based data exfiltration
  • Visual isolation to prevent optical or screen-based data leakage
  • Power isolation using battery operation or filtered power supplies
  • Thermal monitoring to detect unusual heat patterns that might indicate covert operations
  • Radio frequency shielding to block electromagnetic emissions

Warning

Balancing Security and Usability

These advanced techniques introduce significant complexity and may be excessive for most users. Implement additional security measures based on your threat model and the sensitivity of your operations.

Air-Gapped Operations with Secure Mail Client

Secure Mail Client supports a workflow designed for air-gapped master keys:

Import Configuration

When setting up Secure Mail Client to work with your air-gapped keys:

  1. Navigate to Settings > Security > Key Management
  2. Select "Use subkeys only (air-gapped master key)"
  3. Import your subkeys exported from the air-gapped system
  4. Configure automatic detection of key expiration
  5. Set up reminders for key rotation

Signature Verification Options

For verifying signatures with air-gapped workflows:

  1. Choose "Generate verification info for air-gapped signing"
  2. Configure hash algorithm preferences
  3. Set up preferred transfer methods

Conclusion

Air-gapped key operations represent the pinnacle of cryptographic security practices. While they introduce additional complexity and operational overhead, they provide unmatched protection for your most sensitive cryptographic assets.

By isolating your master keys from network-connected systems, you create a security foundation that can withstand even sophisticated remote attacks. The combination of physical separation, strict transfer protocols, and careful operational security creates a robust defense for your digital identity.

Remember that air-gapped security is not just about technology but also about disciplined processes. Maintaining strict separation between systems and following secure procedures consistently is essential to preserving the integrity of your air-gapped environment.

In the next module, we'll explore advanced threat modeling techniques to help you determine when air-gapped operations are necessary and how to assess other security requirements based on specific threats.

Next Steps

Now that you understand air-gapped key operations:

  • Assess your security needs to determine if an air-gapped system is necessary
  • Plan your air-gapped system configuration
  • Prepare secure data transfer procedures
  • Consider migrating your master key to an air-gapped environment
  • Learn about Advanced Threat Modeling in our next module
